SHA256: 24370e25a8a9540bdf877fa9f9d21cf83dafa4285a762f393036c9f0ccb807b2
File name: f6d9f8d786903f46c9a6e3e5697276ad
Detection ratio: 44 / 51
Analysis date: 2014-04-08 02:38:34 UTC
Antivirus Result Update (the seven engines listed at the end with a date but no result returned no detection; 44 detections out of 51 engines)
Ad-Aware Backdoor.Bot.161021 20140408
Yandex TrojanSpy.Zbot!kRg5HKTLN+I 20140407
AhnLab-V3 Spyware/Win32.Zbot 20140407
AntiVir TR/Crypt.XPACK.Gen7 20140408
Antiy-AVL Trojan[Spy]/Win32.Zbot 20140407
Avast Win32:Malware-gen 20140407
AVG PSW.Generic10.ATTK 20140407
Baidu-International Trojan.Win32.Zbot.aMF 20140407
BitDefender Backdoor.Bot.161021 20140408
Bkav W32.Cloda19.Trojan.f01b 20140407
CAT-QuickHeal TrojanSpy.Zbot.gwvj 20140407
CMC Trojan-Spy.Win32.Zbot!O 20140407
Commtouch W32/Backdoor.TOMD-2933 20140408
Comodo UnclassifiedMalware 20140408
DrWeb Trojan.PWS.Panda.2977 20140408
Emsisoft Backdoor.Bot.161021 (B) 20140408
ESET-NOD32 Win32/Spy.Zbot.AAO 20140408
F-Secure Backdoor.Bot.161021 20140408
Fortinet W32/Zbot.ASJ!tr 20140407
GData Backdoor.Bot.161021 20140408
Ikarus Trojan-Spy.Win32.Zbot 20140408
Jiangmin TrojanSpy.Zbot.cvzd 20140407
K7AntiVirus Password-Stealer ( 0040f1d21 ) 20140407
K7GW Password-Stealer ( 0040f1d21 ) 20140407
Kaspersky Trojan-Spy.Win32.Zbot.gwvj 20140408
Kingsoft Win32.Malware.Generic.a.(kcloud) 20140408
Malwarebytes Virus.Expiro 20140408
McAfee PWSZbot-FCC!F6D9F8D78690 20140408
McAfee-GW-Edition PWSZbot-FCC!F6D9F8D78690 20140408
Microsoft PWS:Win32/Zbot.AGP 20140408
eScan Backdoor.Bot.161021 20140408
NANO-Antivirus Trojan.Win32.Zbot.bezbta 20140408
Norman ZBot.DIPL 20140407
nProtect Trojan/W32.Agent.191488.LE 20140408
Panda Trj/Genetic.gen 20140407
Qihoo-360 HEUR/Malware.QVM07.Gen 20140408
Sophos AV Mal/EncPk-AIN 20140408
SUPERAntiSpyware Trojan.Agent/Gen-Festo 20140408
Symantec WS.Reputation.1 20140408
TotalDefense Win32/Zbot.LZbBfD 20140407
TrendMicro TROJ_GEN.R0CBC0DB314 20140408
TrendMicro-HouseCall TROJ_GEN.R0CBC0DB314 20140408
VBA32 TScope.Malware-Cryptor.SB 20140407
VIPRE Trojan.Win32.EncPk.ain (v) 20140407
AegisLab 20140408
ByteHero 20140408
ClamAV 20140408
F-Prot 20140408
Rising 20140406
TheHacker 20140407
ViRobot 20140407
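The rows above are easy to misread: several engines (Ad-Aware, BitDefender, Emsisoft, F-Secure, GData, eScan) share the BitDefender engine and so repeat the same "Backdoor.Bot.161021" label, and labels such as "Malware-gen", "HEUR", "Reputation" or "EncPk" name no family at all. The following is an added example, not part of the VirusTotal report, that parses a subset of these rows (transcribed verbatim as constructed sample input), computes the detection ratio, collapses labels shared between engines before counting, and derives a family consensus. The generic-marker list and the alias table (which folds Dr.Web's Trojan.PWS.Panda naming into Zeus/Zbot) are assumptions made for the example.

```python
"""Added example (not from the report): parse 'Vendor Result Update' rows,
compute the detection ratio and a family consensus in which engines that share
one signature vote only once."""
import re
from collections import Counter

# Constructed sample: a subset of the rows in the table above, copied verbatim.
SAMPLE_ROWS = """\
Ad-Aware Backdoor.Bot.161021 20140408
BitDefender Backdoor.Bot.161021 20140408
Emsisoft Backdoor.Bot.161021 (B) 20140408
F-Secure Backdoor.Bot.161021 20140408
GData Backdoor.Bot.161021 20140408
Kaspersky Trojan-Spy.Win32.Zbot.gwvj 20140408
Microsoft PWS:Win32/Zbot.AGP 20140408
ESET-NOD32 Win32/Spy.Zbot.AAO 20140408
DrWeb Trojan.PWS.Panda.2977 20140408
McAfee PWSZbot-FCC!F6D9F8D78690 20140408
Sophos AV Mal/EncPk-AIN 20140408
K7AntiVirus Password-Stealer ( 0040f1d21 ) 20140407
Avast Win32:Malware-gen 20140407
Symantec WS.Reputation.1 20140408
Qihoo-360 HEUR/Malware.QVM07.Gen 20140408
Malwarebytes Virus.Expiro 20140408
AegisLab 20140408
ClamAV 20140408
"""

# 'Sophos AV' is the only two-word vendor in this table; the update date is 8 digits.
ROW_RE = re.compile(r"^(?P<vendor>\S+(?: AV)?)\s*(?P<result>.*?)\s*(?P<date>\d{8})$")

# Assumed heuristic: substrings marking a generic / heuristic / packer-only label
# that names no family.
GENERIC_MARKERS = ("generic", "malware-gen", "heur", "reputation", "encpk",
                   "crypt", "unclassified", "password-stealer", "genetic", "gen.")

# Assumed alias table; Dr.Web's 'Trojan.PWS.Panda' is its name for Zeus/Zbot.
FAMILY_ALIASES = {"zeus": ("zbot", "zeus", "pws.panda"), "expiro": ("expiro",)}


def parse_rows(text):
    """Return (vendor, result, date) per row; result is '' for undetected rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append((m["vendor"], m["result"], m["date"]))
    return rows


def detection_ratio(rows):
    """(detected, total), the '44 / 51' style figure."""
    return sum(1 for _, result, _ in rows if result), len(rows)


def normalize_label(result):
    """Drop trailing engine decorations such as ' (B)' or ' ( 0040f1d21 )'."""
    return re.sub(r"\s*\(.*?\)\s*$", "", result)


def family_of(result):
    """'zeus' / 'expiro' / 'generic' / 'unattributed', or None if undetected."""
    if not result:
        return None
    low = result.lower()
    for family, aliases in FAMILY_ALIASES.items():
        if any(alias in low for alias in aliases):
            return family
    if any(marker in low for marker in GENERIC_MARKERS):
        return "generic"
    return "unattributed"           # e.g. Backdoor.Bot.161021: real hit, no family named


def distinct_labels(rows):
    """Number of distinct normalized labels; shared engines collapse to one."""
    return len({normalize_label(r) for _, r, _ in rows if r})


def family_consensus(rows):
    """Votes per named family, counting each distinct label once."""
    votes, seen = Counter(), set()
    for _, result, _ in rows:
        fam = family_of(result)
        if fam in (None, "generic", "unattributed"):
            continue
        label = normalize_label(result)
        if label not in seen:
            seen.add(label)
            votes[fam] += 1
    return votes


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("ratio %d / %d" % detection_ratio(rows))
    print("distinct labels:", distinct_labels(rows), "consensus:", family_consensus(rows))
```

For this subset the raw count is 16 detections from 18 engines, but only 12 distinct labels, and the consensus is Zeus/Zbot by five independent labels against one outlier (Malwarebytes' Virus.Expiro). The generic and unattributed labels are still counted as detections; they simply carry no vote on the family.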
The file being studied is a Portable Executable (PE) file; more specifically, it is a Win32 EXE for the Windows GUI subsystem.
Packers identified
PEiD Armadillo v1.71 (a PEiD entry-point signature match; treat it as a hint that the binary is wrapped, not as proof of which packer was used)
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-03-21 21:14:45
Entry Point 0x0000533F
Number of sections 4
PE sections
PE imports
ScaleViewportExtEx
GetGlyphIndicesW
EndDoc
CreateEllipticRgnIndirect
ExtCreateRegion
BitBlt
CreateRectRgnIndirect
CreateDIBSection
PolyBezierTo
GetCharABCWidthsI
GetSystemTime
GetLastError
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
GetOEMCP
LCMapStringA
HeapDestroy
HeapAlloc
GetEnvironmentStringsW
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetModuleFileNameA
GetLocalTime
FreeEnvironmentStringsA
GetStartupInfoA
GetCPInfoExW
GetEnvironmentStrings
CompareStringW
SetVolumeMountPointA
GetCommandLineW
GetCPInfo
UnhandledExceptionFilter
MultiByteToWideChar
GetStartupInfoW
FreeEnvironmentStringsW
GetCommandLineA
GetProcAddress
SetStdHandle
SetFilePointer
WideCharToMultiByte
GetStringTypeA
GetModuleHandleA
WriteFile
GetCurrentProcess
CompareStringA
GetACP
HeapReAlloc
GetStringTypeW
GetBinaryTypeA
SetEnvironmentVariableA
TerminateProcess
GetTimeZoneInformation
HeapCreate
VirtualFree
GetFileType
ExitProcess
GetVersion
VirtualAlloc
CloseHandle
Ord(160)
Ord(402)
Ord(166)
Ord(224)
Ord(37)
EnumPropsA
IsCharUpperW
TranslateMessage
OemToCharA
GetAltTabInfoW
Number of PE resources by type
RT_ACCELERATOR 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 2
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:03:21 22:14:45+01:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 34816
LinkerVersion: 6.0
FileAccessDate: 2014:04:08 03:53:34+01:00
EntryPoint: 0x533f
InitializedDataSize: 402944
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 4.0
FileCreateDate: 2014:04:08 03:53:34+01:00
UninitializedDataSize: 0
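The PE header fields reported above (compilation timestamp, entry point 0x533F, four sections, linker 6.0, GUI subsystem 4.0, code and initialized-data sizes) all come from the IMAGE_FILE_HEADER, the PE32 optional header and the section table. The following is an added example, not part of the report, that parses those structures from raw bytes with only the standard library, then finds the section that holds the entry point and applies a few packer heuristics. Because the report does not list the sections, the section layout below is assumed; the header values are the ones the report shows, and the second layout (entry point in a writable, executable stub with a .text that is empty on disk) is a constructed contrast case.

```python
"""Added example (not from the report): parse PE32 header fields and apply
packer heuristics to the section that holds the entry point."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"                                            # IMAGE_FILE_HEADER
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, no data dirs
SECT_FMT = "<8sIIIIIIHHI"                                        # IMAGE_SECTION_HEADER

# Values taken from the report: 2009-03-21 21:14:45 UTC, EP 0x533F, linker 6.0,
# GUI subsystem 4.0, SizeOfCode 34816, SizeOfInitializedData 402944.
SAMPLE_TIMESTAMP = int(datetime(2009, 3, 21, 21, 14, 45, tzinfo=timezone.utc).timestamp())
# Section layouts are ASSUMED (the report lists none): (name, rva, vsize, rawsize, flags).
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 34816, 34816, 0x60000020),     # code | execute | read
    (b".rdata", 0xA000, 0x1000, 0x1000, 0x40000040),  # initialized data | read
    (b".data", 0xB000, 0x60000, 0x1000, 0xC0000040),  # initialized data | read | write
    (b".rsrc", 0x6B000, 0x1000, 0x1000, 0x40000040),
]
# Constructed contrast case: EP in a W+X stub, .text empty on disk (unpacked at runtime).
PACKED_SECTIONS = [
    (b".text", 0x1000, 0x9000, 0, 0xE0000020),
    (b".stub", 0xA000, 0x1000, 0x1000, 0xE0000020),
]


def build_pe32(entry_rva, timestamp, sections):
    """Constructed header-only PE32 image (no real code) so the parser runs offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0,
                       struct.calcsize(OPT_FMT) + 128, 0x0102)  # i386, EXE, 32-bit
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0,                      # PE32 magic, linker 6.0
                      34816, 402944, 0,                          # code / init / uninit sizes
                      entry_rva, 0x1000, 0xA000, 0x400000,       # EP, BaseOfCode, BaseOfData, ImageBase
                      0x1000, 0x200,                             # section / file alignment
                      4, 0, 0, 0, 4, 0,                          # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x6C000, 0x400, 0,                      # Win32Ver, SizeOfImage, SizeOfHeaders, cksum
                      2, 0,                                      # Subsystem 2 = Windows GUI
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)
    raw_ptr, hdrs = 0x400, b""
    for name, rva, vsize, rawsize, chars in sections:
        hdrs += struct.pack(SECT_FMT, name.ljust(8, b"\0"), vsize, rva, rawsize,
                            raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs


def parse_pe32(data):
    """Return the header fields the report shows, plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    o = struct.unpack_from(OPT_FMT, data, pe_off + 24)
    if o[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ has a wider optional header")
    sections = []
    for i in range(nsect):
        name, vsize, rva, rawsize, *_, chars = struct.unpack_from(
            SECT_FMT, data, pe_off + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return {"machine": machine,
            "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "linker": f"{o[1]}.{o[2]}", "size_of_code": o[3], "size_of_init": o[4],
            "entry_point": o[6], "os_version": f"{o[12]}.{o[13]}",
            "subsystem_version": f"{o[16]}.{o[17]}", "subsystem": o[22],
            "sections": sections}


def section_of_rva(sections, rva):
    """Section whose virtual range covers `rva`, or None."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def packer_hints(info):
    """Cheap heuristics; a hit means 'look closer', not 'packed'."""
    hints, ep = [], section_of_rva(info["sections"], info["entry_point"])
    if ep is None:
        return ["entry point outside every section"]
    if not ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hints.append(f"entry point in non-executable section {ep['name']}")
    if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hints.append(f"entry point in writable+executable section {ep['name']}")
    if ep is not info["sections"][0]:
        hints.append(f"entry point in {ep['name']}, not the first section")
    for s in info["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hints.append(f"section {s['name']} has no raw data but {s['vsize']:#x} virtual bytes")
    return hints


if __name__ == "__main__":
    info = parse_pe32(build_pe32(0x533F, SAMPLE_TIMESTAMP, SAMPLE_SECTIONS))
    print(info["timestamp_utc"], hex(info["entry_point"]), packer_hints(info))
```

Note that the timestamp is decoded as UTC, which is why the report's "Compilation timestamp 2009-03-21 21:14:45" and ExifTool's "2009:03:21 22:14:45+01:00" are the same value. A compilation timestamp is also trivially forged, so it dates the build only if other evidence agrees with it.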

File identification
MD5 f6d9f8d786903f46c9a6e3e5697276ad
SHA1 b5e5db79f60598fbb2124df525a1a3e599d3e082
SHA256 24370e25a8a9540bdf877fa9f9d21cf83dafa4285a762f393036c9f0ccb807b2
ssdeep 3072:6ivyvhkacQvZcoBKv+o26m5FYWCr72+Lcs88XxIS4bbiQOhDMTEyl218PR8Ghxo:BkhdLBy+3zpC3Lcs9V4bbiHhdyl2aPW

File size 187.0 KB ( 191488 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe armadillo

VirusTotal metadata
First submission 2012-12-14 21:53:52 UTC
Last submission 2012-12-14 21:53:52 UTC
File names f6d9f8d786903f46c9a6e3e5697276ad
Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process that the executed file launched or injected code into.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests
UDP communications